Skip to content
This repository has been archived by the owner on Oct 23, 2024. It is now read-only.

chore(deps): update dependency pygments to v2.7.4 [security] - abandoned #3339

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Apr 26, 2021

Mend Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
Pygments (source, changelog) ==2.7.2 -> ==2.7.4 age adoption passing confidence

⚠ Dependency Lookup Warnings ⚠

Warnings were logged while processing this repo. Please check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2021-27291

In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a denial of service.

CVE-2021-20270

An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only contains the "exception" keyword.


Release Notes

pygments/pygments

v2.7.4

Compare Source

(released January 12, 2021)

  • Updated lexers:

  • Fix infinite loop in SML lexer (#​1625), CVE-2021-20270 <https://nvd.nist.gov/vuln/detail/CVE-2021-20270>_

  • Fix backtracking string regexes in JavaScript/TypeScript, Modula2
    and many other lexers (#​1637) CVE-2021-27291 <https://nvd.nist.gov/vuln/detail/CVE-2021-27291>_

  • Limit recursion with nesting Ruby heredocs (#​1638)

  • Fix a few inefficient regexes for guessing lexers

  • Fix the raw token lexer handling of Unicode (#​1616)

  • Revert a private API change in the HTML formatter (#​1655) --
    please note that private APIs remain subject to change!

  • Fix several exponential/cubic-complexity regexes found by
    Ben Caller/Doyensec (#​1675)

  • Fix incorrect MATLAB example (#​1582)

Thanks to Google's OSS-Fuzz project for finding many of these bugs.

v2.7.3

Compare Source

(released December 6, 2020)


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@renovate
Copy link
Contributor Author

renovate bot commented Jun 25, 2023

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

@renovate renovate bot changed the title chore(deps): update dependency pygments to v2.7.4 [security] chore(deps): update dependency pygments to v2.7.4 [security] - abandoned Aug 6, 2024
Copy link
Contributor Author

renovate bot commented Aug 6, 2024

Autoclosing Skipped

This PR has been flagged for autoclosing. However, it is being skipped due to the branch being already modified. Please close/delete it manually or report a bug if you think this is in error.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant